Re: JNDI property roleSearchAsUser not working as expected

[Felix Schumacher]

Am 14.03.2013 15:54, schrieb Eugène Adell:
I still wonder, why you are so reluctant to use a technical user. Especially 
since you have security concerns about the anonymous user.
To find someone's roles, LDAP only requires a bind + a search in groups. It is 
a simple ldapsearch command for the ones using command lines.
But you have to know which user is doing the search, right?
Tomcat does not know which user is logging in at start, it will search 
for the user with one of the methods 'userSearch' or 'userPattern'.

The first will have to do a search to find the users dn, the second one 
could theoretically build the dn and do a bind. But since the 
'userPattern' approach can be configured to have more than one dn to 
look up, it would have to do more than one login try, which could be 
harmful for the performance, if your directory server gives penalty 
pauses for wrong credentials.
But when connecting through Tomcat we also need extra either one more account 
or allowing anonymous bind. This is not logical to add extra work to anything 
which could stay simple.
see above.

About security, we can ask any user to change its password on a monthly or 
quarterly basis. The technical account should be under the same security 
control with expiring passwords and it is not good practice to stop client 
applications especially when there are many, or in production environment. The 
anonymous bind is free from such problem, and it's not much worse than a 
password stored in a config file.
I don't think, that it is necessary to use the same security enforcement 
for technical users as for real users, but every one will have a 
different opinion on security policies, so yours is as valid as every 
ones :)

On the other hand, given the frequent updates of tomcat itself, you will 
have to restart your servers in order to stay updated quite often already...

Regards
 Felix

________________________________________
De : Felix Schumacher [felix.schumac...@internetallee.de]
Envoyé : jeudi 14 mars 2013 15:28
À : Tomcat Users List
Objet : RE:RE:JNDI property roleSearchAsUser not working as expected

"Eugène Adell" <eugene.ad...@d2-si.eu> schrieb:

Thanks Felix,

I will choose the easy way by allowing the anonymous to bind the
directory, against all security logics, and strengthen the ACL to
forbid anonymous search.

Anyway, the bug 19444 is closed saying the new parameter (introduced in
7.0.9  and corrected in 7.0.30) allows role searching with the
authenticating user. That's true, but we still need either the
anonymous or a technical user for the startup binding. It's not really
compliant to real-life LDAP management.

I still wonder, why you are so reluctant to use a technical user. Especially 
since you have security concerns about the anonymous user.

Regards
Felix

best regards



________________________________________
De : Felix Schumacher [felix.schumac...@internetallee.de]
Envoyé : jeudi 14 mars 2013 14:22
À : Tomcat Users List
Objet : RE:JNDI property roleSearchAsUser not working as expected

Am 14.03.2013 13:40, schrieb Eugène Adell:
This doc is self-contradictory because it suggests "to setup a
technical user" when we "don't want to configure a technical user",
and it doesn't give any solution when we are not the admin of the
directory.
I can't read that out of the docs for roleSearchAsUser as stated on
http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#JNDI_Directory_Realm_-_org.apache.catalina.realm.JNDIRealm

It is just a mechanism to switch from the credentials when searching
for roles.

That way you can restrict the rights to the anonymous/admin user, so
that it doesn't need to be able to lookup groups/roles for a user.

Here we learn that Tomcat JNDI Realm only works in "Administrator
Login Mode" with an administrator login/password (in fact the
"technical user" discussed above) :

http://tomcat.apache.org/tomcat-7.0-doc/funcspecs/fs-jndi-realm.html
I believe the "Administrator Login Mode" is used for retrieving
attributes out of an users object and comparing the values to some
given
credentials. The "User Login Mode" is used when a bind is performed to
check the credentials. But either way, you will have to setup a
technical user, or open the directory server to allow anonymous binds
and searches for the user dn's.

 From this, it seems that roleSearchAsUser is only usefull when the
anonymous bind is allowed. It's another contradiction here, because
it
seems logical to use this parameter especially when anonymous is not
allowed.
You will not get to the point where the role is being searched, since
before that there are two points, where your directory is being
accessed.
  1. initial test of connection (which you reported in your first mail)
  2. look up of the user, which wants to login (and since the username
to bind with is not known, it will be hard to guess)

So as stated before the easiest thing is to just use a technical user
to connect to the directory.

Regards
  Felix


________________________________________
De : Felix Schumacher [felix.schumac...@internetallee.de]
Envoyé : jeudi 14 mars 2013 12:03
À : Tomcat Users List
Objet : Re: JNDI property roleSearchAsUser not working as expected

Am 13.03.2013 21:46, schrieb Eugène Adell:
Hello

I am running the following :
   java version "1.6.0_25"
   Java(TM) SE Runtime Environment (build 1.6.0_25-b06)
   Java HotSpot(TM) Client VM (build 20.0-b11, mixed mode, sharing)
   Tomcat 7.0.37
   CentOS release 6.3

with this REALM  configuration in server.xml :
                         <Realm
className="org.apache.catalina.realm.JNDIRealm"
                           connectionURL="ldap://***.***.***.***:389";

userPattern="cn={0},ou=users,dc=example,dc=com"
                           roleBase="ou=groups,dc=example,dc=com"
                           roleSubtree="true"
                           roleNested="true"
                           roleName="cn"
                           roleSearchAsUser="true"
                           roleSearch="(uniqueMember={0})" />

and this triggers this error during the startup :
Mar 13, 2013 8:14:49 PM org.apache.catalina.realm.JNDIRealm open
WARNING: Exception performing authentication
javax.naming.AuthenticationNotSupportedException: [LDAP: error code
48 - anonymous bind disallowed]
         at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3032)
         at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
         at
com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2789)
         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2703)
         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:293)
         at

com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:175)
         at

com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:193)
         at

com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:136)
         at

com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:66)
         at

javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
         at

javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
         at javax.naming.InitialContext.init(InitialContext.java:223)
         at
javax.naming.InitialContext.<init>(InitialContext.java:197)
         at

javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:82)
         at
org.apache.catalina.realm.JNDIRealm.open(JNDIRealm.java:2150)
         at

org.apache.catalina.realm.JNDIRealm.startInternal(JNDIRealm.java:2241)
...
         ... 27 more
Mar 13, 2013 8:14:49 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 34 ms


 From what I understand, roleSearchAsUser property was designed for
people who need to bind on any LDAP where anonymous bind is not
authorized. But it's just impossible to do this if the JNDI Realm
tries to authenticate anonymously by itself during the startup.
I read the docs as follows:

If your directory server does not allow to scan for roles as
anonymous
user and you don't want to configure a technical user (by specifying
connectionName and connectionPassword) you can delegate the
credentials
of the user that is currently logging in.

It is not intended to set the user credentials for all ldap
operations.

The easiest way to fix it, is to setup an technical user inside your
directory, which has no right other than to login and lookup your
users,
which would be the next operation.

Regards
   Felix
I suppose it's necessary to investigate further this bug :
https://issues.apache.org/bugzilla/show_bug.cgi?id=19444


Thanks


---------------------------------------------------------------------



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org